May 13, 2015 at 12:51Forensics and steganography in a video file: analysis of tasks of the online stage NeoQUEST-2015
The last online stage of the annual cybersecurity competition NeoQUEST-2015 was extremely rich in interesting and non-trivial tasks! In this article we:- Let’s deal with the steganography of video files and the esoteric programming language Piet, analyzing the task “The Truth Inside”
- we’ll get into the shoes of a computer forensic scientist, work with TrueCrypt and answer the question “Was there a key?”
Great news: NeoQUEST 2015 intramural date approved! The event will be held July 2 (Thursday) in St. Petersburg, in the CLUB HOUSE ! As before, admission is free - you just need to register on our website .
1. “Truth inside” - steganography in the video
Download the apple.avi file, the link to which is given in the task. We draw attention to the hint in the text of the legend to the task, hinting that comparing the received video with the original video on the Apple channel will help you understand what to do next! We go to youtube.com, look for our video on the Apple channel.
Download it with any service to save videos from youtube.com in .flv format. Why in .flv? Well, it’s not in vain that the task for some reason mentioned recently installed flv codecs.
It would be logical to compare these two videos frame by frame, for this we use the software solution ffmpeg . We split both videos into frames, each in its own directory:
ffmpeg -i ./youtube.flv ./1/%d.png
ffmpeg -i ./apple.avi ./2/%d.png
For comparison, directory synchronization in Total Commander is suitable:
The screenshot shows frames that are different in both videos, there are 24 of them. Let's try to compare any pair of frames, for example, the 21st. To do this, use ImageMagic :
compare.exe 21.png 21.2.png diff.png
In the upper left corner we see a rectangular area. In a detailed study, we understand that the least significant bit changes in the red channel of pixels. Hiding low bits is a fairly common steganography technique. We have 24 frames, with the modified low-order bits in a rectangular area. 24 bits is enough to encode 3 bytes of pixel color.
Now you need to assemble the image from the lower bits, for this we use Python and, for example, PIL :
It is easy to guess that we have a program in the esoteric programming language Piet . You will have to tinker a bit with the interpreter, after which the program displays a message containing the key to the task:
“Hello! Secret Key: 8aec4bb34fbdd11c2aef4fea391b4fe2 »
2. “Was there a key?” - forensic and TrueCrypt
Participants were given a disk dump, in which they needed to find the key. Passage can be divided into the following stages:
- Disk mount
- Search for installed software
- Search for encrypted logical drive
- Search volume encryption key
- Search for a key to the task
Mounting a
Windows 7 - 8.1 drive allows you to mount a disk image without additional software. On other operating systems, you can use Virtual Box, VMWare, and other virtualization software for mounting.
After mounting in Windows 8.1, 2 disks will appear.
The contents of the system disk: A
disk with user data, which, of course, interests us first of all:
Search for installed software
It is necessary to enable the display of hidden and system files, after which we check the main folders Program Files and Program Files (x86), where the program TrueCrypt is located. TrueCrypt - a computer program for encryption on the fly. It allows you to create a virtual encrypted logical drive stored as a file.
Search for encrypted logical drive
The description of the program indicates that using it you can create a virtual encrypted logical drive. To find this drive, use the TChunt program .
tchunt.exe -d ../ > tchunt.txt
Open the file tchunt.txt
File X: \ Users \ JohnSmith \ files and there is an encrypted container.
Search volume encryption key
At the root of the disk is a Dali folder. Among all the images there is a key.jpg file. Based on this, we can assume that it is not a password that is used, but a file key. When trying to substitute this file as a key for the container, TrueCrypt reports an incorrect password.
From which we can conclude that the key is either hidden in the key.jpg file, or deleted, or key.jpg is completely unrelated to the encrypted disk. We’ll check the simplest version - the file has been deleted (a logical action if you were suddenly sent for you!).
We restore key-x.jpg and try to use it as a key - the virtual disk is successfully mounted!
Search for a key to the task
There is a very large number of files on the disk (all with the extension .jpg) and the key is most likely hidden in one of them. Let's try to check the latest open files with this extension in the system, for this you need to go into the registry of the installed OS. If the hard drive is mounted on a virtual machine, then just run the regedit command. If not, then you need to connect the necessary part of the registry - hive.
To do this, click File> Load Hive and select X: \ Users \ JohnSmith \ NTUSER.dat. Next, go along the path: Software \ Microsoft \ Windows \ CurrentVersion \ Explorer \ RecentDocs \ .jpg
Among the contents and the names of the last opened files are indicated. We sort through them and check the presence of a key in the image.
The key appeared on the image "Peter I on a dog hunt.jpg"
And that's not all!
Ahead is the analysis of the remaining tasks of the online stage of NeoQUEST-2015 and the expectation of a bright and sunny (despite being in St. Petersburg) event "NeoQUEST-2015". Participants will have a tense struggle of 8 hours in length, and guests will enjoy contests, presentations, practical workshops, gifts and communication with colleagues! We remind you that for this - just a couple of steps: go through registration and (for those who are not here) buy tickets to St. Petersburg!